Professional Service firms performed well during the past three difficult years, demonstrating resilience. What are the lessons for enterprise risk management from this performance?

Risk Management and the Nature of Risk

A common criticism of traditional risk management is that it assumes high levels of control exist. The so called 4T’s approach, for example, sets out alternatives for risk treatment: Tolerate, Treat, Transfer, Terminate. The results may then be reflected in an organization’s risk appetite statement, which is a good indicator of the scope of risk policies and of the risk culture.

Simple risks where causes and effects are clear, can thus be managed. External changes add complexity to these otherwise simple risks. What if there is limited data or the risk emanates suddenly from outside the organization? Judgment becomes more difficult when our risk assessments are based on our past experience. A void may exist.

Resilience Lessons from COVID

Risk registers may have captured pandemics, but specific preparation was unlikely. Fortunately, there were favorable factors. There was time to develop the response as the crisis developed. Largely sympathetic stakeholder groups were dealing with the same circumstances. Organizations with sound governance and values were best able to navigate the conditions.

Attention has rightly therefore turned to the concept of resilience. This is the ability to withstand shocks and return to normal operations. Many organizations displayed resilience by managing the basics, such as finances, communication with stakeholders and by applying their established business continuity procedures. IT agility was a key success factor.

The business models employed by professional service firms appear to have been relatively successful in enabling them to trade through the uncertainty that existed at the outset. Internal resources devoted to crisis management and business continuity kicked in to provide the necessary support for people and operations, including of course the shift to remote working.

Crisis response does not exist in a void and societal and political influence comes into play shaping external perceptions and expectations. Even with unexpected shocks, old problems exist and must be managed, including threats to reputation and the risk that bias may obscure sound judgement.

Four Resilience Building Blocks

So, we have learnt the value of resilience and the importance of coordinating resources, having procedures already in place, and embedding a risk culture. But there is still much to learn from the past three years and opportunity to apply the lessons learnt to the future.

• Aligned incident and crisis management should be in place.
• There is continuity with, and similarities to, past crises and lessons can be applied. However, decisions cannot depend entirely on hindsight.
• Avoid optimism, recency, and status quo bias. Information and rational assessment are key.
• The need for a coordinated multidisciplinary internal response is emphasized by the interconnectivity between risks in today’s world, as displayed in The Global Risk Landscape Interconnection Map in WEF’s Global Risks Report 2023.

We will further explore the concept of emerging risks and resilience in future articles.

Read other articles on Enterprise Risk Management.

Contact

The Professional Services Practice at Aon values your feedback. If you have any comments or questions, please contact Keith Tracey.

Keith Tracey
Managing Director
London